
Australia's New Privacy Guidance: Why Age Assurance is an Architecture Solution
The Office of the Australian Information Commissioner (OAIC) has just released its Privacy guidance on age assurance technologies. Timed alongside the commencement of obligations under the Social Media Minimum Age (SMMA) Act, this guidance provides the clearest picture yet of what regulators expect from digital platforms.
For platforms operating in Australia, the message is clear: age assurance is no longer just a policy debate. It is a 2026 reality, and compliance is fundamentally an architecture problem.
Fortunately, as explained in more detail below, the OAIC’s 12 privacy principles and best practices provide striking validation of the core infrastructure approach we have built at k-ID and championed through the OpenAge Initiative. Here is what matters most for platforms building age-adaptive experiences today.
1. Age Assurance is Not Identity Verification
The OAIC draws a hard line between establishing age and verifying identity. The guidance explicitly states that an age check is not a vehicle to collect identity information.
This is a critical distinction. Legacy age and identity verification providers often rely on over-extractive architectures that pull far more data than necessary. The OAIC is telling platforms to prefer binary outcomes, such as a simple '16+ yes/no', rather than collecting exact dates of birth or retaining full identity documents.
At k-ID, this principle of data minimisation is foundational. Our AgeKit+ solution processes age signals transiently, returning only the necessary binary “pass/fail” assertion to the platform without ever revealing a user's identity.
2. The Orchestration Model is the Gold Standard
Perhaps the most significant validation in the guidance is a case study detailing an orchestrator that routes a verified age signal without touching any personal data. The case study for APP 3 describes a hypothetical “sayID,” which operates as an orchestrator of age assurance providers. “In the background, sayID’s system sends a request to [the user’s] bank to send the 18+ age token to [the relying party]. No personal information or any banking information is handled by sayID in this process.” The OAIC confirms that this model complies with the principle of data minimisation.
The case study’s description is architecturally identical to how k-ID operates and integrates with the Australian banking system ConnectID. By acting as a neutral intermediary that facilitates the presentation of a verified credential, k-ID can provide platforms with the highest level of privacy protection available under Australian law, while preventing the unnecessary transfer or processing of sensitive personal information. It is rare to see a regulator provide such direct validation of a specific technical approach.
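The token flow described in sections 1 and 2, as an added sketch that is not k-ID's, ConnectID's or the OAIC's code: an issuer mints a yes/no token, the orchestrator's request carries no personal data, and the relying party refuses any token that carries more than the binary claim. The claim names, the function names, the key and the use of HMAC as a stand-in for an issuer signature are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC stands in for the issuer's asymmetric signature
# (assumption); a real relying party would hold only the issuer's public key.
ISSUER_KEY = b"constructed-demo-key"
ALLOWED_CLAIMS = {"over_18", "aud", "nonce", "exp"}  # hypothetical minimal schema

def _mac(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()

def encode_token(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_mac(payload)).decode()

def issuer_mint(age_years: int, aud: str, nonce: str, now: int) -> str:
    """Issuer (e.g. the bank): the age stays here, only yes/no leaves."""
    return encode_token({"over_18": age_years >= 18, "aud": aud,
                         "nonce": nonce, "exp": now + 300})

def orchestrator_request(aud: str, nonce: str) -> dict:
    """Orchestrator: builds the routing request; it carries no personal data."""
    return {"aud": aud, "nonce": nonce, "claim": "over_18"}

def relying_party_verify(token: str, aud: str, nonce: str, now: int) -> bool:
    """Relying party: accept only an authentic, fresh, minimal token."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        raise ValueError("malformed token") from None
    if not hmac.compare_digest(sig, _mac(payload)):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if set(claims) != ALLOWED_CLAIMS:
        # Data minimisation: a token with a date of birth, name or document
        # reference is rejected instead of being parsed and stored.
        diff = sorted(set(claims) ^ ALLOWED_CLAIMS)
        raise ValueError(f"claim set not minimal: {diff}")
    if claims["aud"] != aud or claims["nonce"] != nonce:
        raise ValueError("token not issued for this request")
    if claims["exp"] < now:
        raise ValueError("token expired")
    return claims["over_18"] is True
```

Binding the token to an audience and a per-request nonce is what stops one platform's token being replayed at another, which matters once tokens are passed between parties.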
3. Ring-Fenced Architecture is a Requirement
The guidance makes it clear that age assurance data must be physically and logically separated from the rest of a platform's data estate. Advertising, analytics, and machine learning pipelines must be blocked from accessing this purpose-built store.
This is exactly why k-ID was built as an infrastructure layer. Platforms integrating k-ID access age status via a read-only API. The underlying data used to verify age is never stored within k-ID’s systems, allowing platforms to demonstrate to the OAIC that they have implemented secure and transient processing by design.
4. The Interoperability Opportunity
The guidance also opens a constructive dialogue around how platforms handle secondary data use. Currently, the OAIC outlines how platforms might share age tokens with one another, but reiterates that age signals may only be shared with the “voluntary, informed, current, specific and unambiguous consent” of the end user.
This provides a fantastic starting point for us to introduce the next evolution of this concept: user-controlled credentials. With AgeKeys, there is no risk from platforms clandestinely sharing age signals in violation of the OAIC’s transparency principles; rather, the end user receives their AgeKey and is in total control at all times of whom that signal is shared with. We look forward to engaging with the OAIC further to explore how this user-centric approach of AgeKeys can reduce friction and enhance privacy across the ecosystem.
Operationalising Compliance
Australia is now one of the most clearly defined age assurance markets in the world. Between the SMMA Act and this new guidance, platforms have the clarity they need to act.
The real challenge isn't understanding the law. It is operationalising compliance without slowing down product teams or collecting unnecessary data. With k-ID's multi-method orchestration and the interoperability of AgeKeys, platforms can turn this regulatory requirement into a seamless, privacy-preserving reality.
Do get in touch if you would like to learn how to integrate age assurance as a scalable layer for your Australian operations.

